Dell Technologies has reset your password. Yep, it’s true. The company released a statement saying that someone was found poking around in the company network early in November. The attack was stopped in its tracks, but Dell has reset all customer account passwords as a precaution. So if you’re wondering why your old one doesn’t work, that’s why. However, the intrusion wasn’t stopped before the intruder may have accessed names, email addresses, and hashed passwords.

Yes, certainly go change your password if you do have a Dell account. Even though the company said the passwords were hashed, it didn’t say which hashing method was used, and not all of them are difficult to crack. Dell itself has already forced a password reset as a precaution.
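As an added illustration of why the hashing method matters (example code, not from Dell or the original article): the same three constructed accounts stored once with an unsalted SHA-256 hash and once with salted scrypt. The unsalted records reveal which users share a password and can be matched against precomputed digests; the salted, memory-hard scheme hides both.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set

# Constructed sample accounts for the demonstration (not data from any breach).
SAMPLE_ACCOUNTS = {
    "alice": "Winter2018!",
    "bob": "Winter2018!",          # same password as alice
    "carol": "correct horse battery staple",
}

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)   # about 16 MiB of memory per guess


def weak_record(password: str) -> str:
    """One unsalted SHA-256 round: cheap to compute and identical for identical
    passwords, so a leaked table can be matched against precomputed digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def strong_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard scrypt. The random per-user salt is stored with the key,
    so equal passwords give unrelated records and every guess costs a fresh scrypt."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$" + salt.hex() + "$" + key.hex()


def verify_strong(password: str, record: str) -> bool:
    """Recompute scrypt with the stored salt and compare in constant time."""
    scheme, salt_hex, key_hex = record.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported record format")
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(key.hex(), key_hex)


def duplicate_groups(records: Dict[str, str]) -> List[Set[str]]:
    """Users whose stored records are byte-identical. Such groups reveal that the users
    share a password and let one cracked record unlock all of them; a salted scheme
    never produces them."""
    by_record: Dict[str, Set[str]] = {}
    for user, record in records.items():
        by_record.setdefault(record, set()).add(user)
    return [users for users in by_record.values() if len(users) > 1]


def compare_schemes(accounts: Dict[str, str] = SAMPLE_ACCOUNTS) -> Dict[str, int]:
    """Number of duplicate groups each storage scheme exposes for the same accounts."""
    weak = {u: weak_record(p) for u, p in accounts.items()}
    strong = {u: strong_record(p) for u, p in accounts.items()}
    return {"unsalted_sha256": len(duplicate_groups(weak)),
            "salted_scrypt": len(duplicate_groups(strong))}


if __name__ == "__main__":
    print(compare_schemes())   # {'unsalted_sha256': 1, 'salted_scrypt': 0}
```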

When re-creating that password, make sure to consider the basic guidelines for a strong one:

As for the email addresses, you may think that it’s not a big deal for someone to steal those. After all, they’re not really private. We give them out freely quite often. An email address is a way to reach you, just like your physical address or work address. However, it really IS significant when bad actors get ahold of your email address. Every time they break into an account somewhere, they learn a little more about you, such as that you have a Dell account and therefore likely have or have had a Dell product. They can use that knowledge to craft targeted spam messages for you, and you are then far more likely to click links or open attachments.

Just remember to take a few seconds and recall whether or not you asked for anyone to send you email with links or attachments. If you didn’t, certainly don’t click on them. The key is that if you are not expecting something to arrive in email, be suspicious. Take a second to verify it before acting. Pick up the phone and make a quick phone call. Send a quick text to the sender and ask if the link was intended, or when in the office make a quick visit to the sender’s office or desk. Those few extra moments may save you a lot of time and frustration later.

Dell has employed a digital forensics company to help with additional investigation and is working with law enforcement. There is likely more news to come on this. Therefore, even though Dell said no payment information was accessed, it’s wise to watch those payment card statements for suspicious activity too.

PayPal phishing schemes are fairly common these days. Many, or even most of them are generic in nature. In other words, they don’t target a specific person or group. They are merely crafted in such a way that they can be sent to a large number of people at one time as spam. However, sometimes they arrive looking as if they could actually be from PayPal and are specific or somehow related to the recipient. This is called spear-phishing, because the attacker has some piece of information with which to spear a specific target. This tactic is more likely to succeed for the phisher.

Spear-phishing campaigns are on the increase and the use of PayPal as the bait is increasing in sophistication with each new campaign. Cisco researchers have found several versions of imposter PayPal web sites that are so well done, they can trick even the most phishing-savvy person into falling for the scams behind them.

What makes it even more problematic is that these phony websites are actually legitimately registered, sometimes even with real security certificates attached. Many, such as one of the primary ones used, redirectly-paypal.com, are registered through a site called Wix. A list of many of the other fake ones is listed here:

Unfortunately, the fake sites use the color schemes, text styles, and images from the actual PayPal site, making them nearly impossible to detect. Some have also registered with very popular and legitimate hosts, such as CyrusOne LLC, which also hosts CarFax and Dell. However, there are some ways to tell if one is trying to trick you:

Check the website name in the address bar. It should be “paypal.com” and have the “https” in front, as well as the secured site text and lock icon. If you’re using the U.S. site, it may even display as “paypal.com/us/home” and the “us” may be changed to the country for the site you’re using. For the German site, the “us” in that URL is replaced with “de,” for example.

Check for the little country flag in the lower corner of the site. As of time of writing, it’s in the lower right corner as you scroll down the site. If the site is in the U.S., that flag will be the U.S. flag.

If you see anything prior to the “.com” other than the word “paypal,” or anything prior to the word “paypal,” it is likely fake. In other words, the only thing that should be between the dots is the word “paypal,” followed immediately by the “.com.”

The green text, the lock, and the “https” are all positive, though not always definitive indicators of the legitimate site.
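The address-bar rules above, turned into a checker as an added example (not code from the article or from PayPal). It accepts only the exact hostname paypal.com over https, as the article describes, and contrasts that with the "does paypal.com appear somewhere?" glance that every lookalike passes; apart from the two names taken from the article, all sample URLs are constructed.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Hostnames accepted as the genuine site. The article's rule is that the only text between
# the dots must be "paypal", followed directly by ".com", so the default allow-list holds
# just that name; extending it with the brand's own subdomains is a local decision
# (an assumption of this example, not something the article states).
TRUSTED_HOSTS = {"paypal.com"}


def hostname_problems(host: str) -> List[str]:
    """Explain why a hostname fails the article's reading of the address bar."""
    labels = host.rstrip(".").split(".") if host else []
    if labels == ["paypal", "com"]:
        return []
    if "paypal" in host:
        # e.g. redirectly-paypal.com or paypal.com.<other-site>: brand present but not alone
        return ["'paypal' appears but is not the only name before '.com'"]
    return ["'paypal' does not appear in the hostname at all"]


def classify(url: str, trusted=frozenset(TRUSTED_HOSTS)) -> Dict[str, object]:
    """Apply the scheme and hostname checks from the article to one address-bar URL."""
    raw = url.strip()
    # urlsplit needs a scheme to find the host; remember whether the reader saw one.
    parts = urlsplit(raw if "://" in raw else "https://" + raw)
    host = (parts.hostname or "").lower()     # drops userinfo, port, path and fragment
    reasons: List[str] = []
    if "://" not in raw:
        reasons.append("no scheme shown; expected 'https://' in front")
    elif parts.scheme.lower() != "https":
        reasons.append(f"scheme is '{parts.scheme}', not https")
    if host not in trusted:
        reasons.extend(hostname_problems(host))
    return {"url": url, "host": host, "ok": not reasons, "reasons": reasons}


def naive_contains(url: str) -> bool:
    """The check most people make by eye: 'does paypal.com appear somewhere?'.
    Every lookalike below passes it, which is why the hostname must be read whole."""
    return "paypal.com" in url.lower()


# Sample URLs; only the first two names come from the article, the rest are constructed.
SAMPLES = [
    "https://paypal.com/us/home",                        # genuine form from the article
    "https://redirectly-paypal.com/signin",              # lookalike named in the article
    "https://paypal.com.account-review.example/login",   # brand used as a subdomain of another site
    "https://paypal.com@secure-login.example/",          # 'paypal.com' is a username; the site follows '@'
    "http://paypal.com/de/home",                         # right name, but no https
    "paypal.com/us/home",                                # no scheme shown at all
]


def run_samples(urls=SAMPLES) -> List[bool]:
    """Verdict per sample: True only for the genuine address."""
    return [bool(classify(u)["ok"]) for u in urls]


if __name__ == "__main__":
    for u in SAMPLES:
        verdict = classify(u)
        label = "OK   " if verdict["ok"] else "FAKE?"
        print(label, u, "naive_contains=%s" % naive_contains(u), verdict["reasons"])
```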

Some of these phishing sites actually try to get users to enter credentials other than the ones for PayPal. A common one attempts to spoof an Apple credential verification page. However, Apple and PayPal are not related, so an Apple login page should not show up.

Another site uses Spanish language but targets English speakers. If the text is in another language, those behind it are most definitely up to no good.

It’s likely more of these sites, and ones impersonating other well-known companies, will be popping up in the future. If you need to verify credentials or check something in any online account, go directly to a bookmarked link or type in the address manually, being careful not to make typos. Then log in there to do your sanity checks or to make changes. Don’t click on links in email messages to do this, even if you think they may be real. It’s just safer not to.

Details:
Dell Technologies released a statement earlier in November that someone had been caught in its systems trying to extract data. The IT professionals discovered it immediately and put a stop to it. They are not releasing the number of customers affected, but said information that may have been accessed includes names, email addresses, and hashed passwords. All passwords have been reset by Dell and spokespeople don't believe the data has been inappropriately used. However, investigations are continuing and users are urged to watch for fraudulent charges on the method of payment they may have used on the site and to create a strong password the next time they log in.

Security Recommendations:
At this time it is still unknown exactly what data may have been compromised. The best action for now is to watch your card statements and be cautious of any suspicious phone calls or emails that may be phishing attempts.

Research shows that your closest cybersecurity threat could be you. Studies have found that since 2015, cybercriminals have been gravitating to social engineering that exploits human nature. Email is a favorite tool for many reasons and calls for recipients to be on guard. Knowing what to look for and how to react to it is the key to avoiding becoming a victim of fraud, identity theft, or a data breach.

Email Phishing

A sense of urgency is the most popular and effective phishing hook. Any email requiring an urgent response is likely phishing bait.

Enable security filters for email programs. ISPs (internet service providers) offer different filter levels. You can always change security settings if you need to. You may need to contact your provider to find out your options with this.

If you doubt the sender is legitimate but want to be sure, verify it with the company directly. Call or type the company URL (web address) into your browser window. Never use the URL provided in the email and never reply directly to a suspicious email message.

Always check that a site is secure. You should see “https” instead of “http” before the URL. Also, never give out any information on a website that doesn’t have the encrypted “lock” icon to the far left of the URL. In some cases, the text preceding the address may turn red if a site is suspect.

Spam Email

Spam emails are the cyber equivalent of junk mail (one look in your spam folder should be proof enough). The safest type of email spam is the unopened and deleted spam email. They’re annoying at best and harmful at worst – don’t let them fool you into being click bait.

Enable the spam filters offered by your ISP. There are usually different levels of spam filters offered, so use a level you’re comfortable with. If the default filter level isn’t sufficient, you should be able to increase it.

If you’re not expecting a link or attachment, don’t open it. Unwanted and unexpected emails are the spammer’s calling card. Hover your mouse over the sender’s address and over the link to verify that the sender is who they say they are and that the link goes where you expect it to go. The URLs should match. If they don’t, delete it.
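An added example (not from the article) of the hover-and-compare advice: it pulls every link out of a constructed HTML message modelled on the webmail-upgrade pretext described later on this page, and flags links whose visible text names a different host than the real destination, or whose destination is outside the claimed sender's domain. The example-corp.com sender and every link target are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

URL_LIKE = re.compile(r"(https?://)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?")


def looks_like_url(text: str) -> bool:
    """True when the visible link text is itself a web address the reader would compare."""
    return URL_LIKE.fullmatch(text.strip().lower()) is not None


def host_of(text: str) -> str:
    """Hostname of a URL; text without a scheme is treated as https://text."""
    text = text.strip()
    if "://" not in text:
        text = "https://" + text
    return (urlsplit(text).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML message body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html: str, sender_host: str) -> List[Dict[str, object]]:
    """Apply the two hover checks to each link: visible URL text must agree with the
    real destination, and the destination must sit under the claimed sender's domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest = host_of(href)
        flags = []
        if looks_like_url(text) and host_of(text) != dest:
            flags.append(f"displayed {host_of(text)} but link goes to {dest}")
        if dest != sender_host and not dest.endswith("." + sender_host):
            flags.append(f"link host {dest} is outside sender domain {sender_host}")
        findings.append({"text": text, "href": href, "flags": flags})
    return findings


# Constructed sample message; the sender claims to be IT at example-corp.com (a placeholder).
SAMPLE_HTML = """
<p>Our external webmail server was upgraded. Please sign in again to keep your access.</p>
<p><a href="https://webmail-example-corp.login-check.example/">https://webmail.example-corp.com</a></p>
<p>If that does not work, <a href="http://198.51.100.7/reset">reset your password now</a>.</p>
<p>Questions? Visit the <a href="https://portal.example-corp.com/help">help desk</a>.</p>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML, "example-corp.com"):
        status = "SUSPICIOUS" if finding["flags"] else "ok"
        print(status, finding["text"], "->", finding["href"], finding["flags"])
```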

Resist the temptation to open a spam email looking for an “unsubscribe” button or link. The unsubscribe options on many spam emails are a cyber thief favorite. It’s very possibly a ruse that can release a flood of malware on the “unsubscriber.” Instead, just report it as spam to your email provider when possible and delete it regardless.

Social engineering is alive and well. It is used so often by cyber criminals because it works, and often it's simple and even low tech. The old ways of getting information and stealing identities, such as pickpocketing, still work, but the number one social engineering technique is still the phishing email message.

Following are some examples of ways information was acquired by the "good guys" to show how simply it can be done and to make people aware, which really is most of the battle. All of the tests below were done ethically: the people or companies performing them were either paid by the company to test its security or were proving a point, and any physical items taken were returned.

Let's start with the least technical, but still very effective pickpocketing. While you may immediately question if it's really social engineering, think about street performers, airport lines, concerts and other places where everyone is happy and distracted. Jim Stickley of Stickley on Security is infamous for robbing his friends. In one case, he was traveling with a colleague and noticed that the colleague carried his identification and credit cards in the back pocket of his backpack. When Jim questioned him, he said it was safer than having it separate when he travels. That is understandable as a wallet is one more thing to keep track of when travel gets so hectic. Well, when they were in line to check in, Jim unzipped the backpack and lifted his driver's license and credit cards, zipped up the pocket, and just kept talking.

When eventually they got to the check-in counter, he was called out and came clean, but he's really a novice and the professionals will use all kinds of ways to get that information including using magic tricks and children as decoys and distractions.

Always keep those items close by and in front pockets whenever possible. While they can still be taken, it is more difficult.

Don't carry credit cards you are not using. Most people use one card, but have many others in their wallets. If you don't need or use them, leave them in a secure place at home.

Never carry your social security card with you. Lock it in a safe place at home.

Always stay aware when in crowded places full of distractions and zip or button your pockets and purses. It just adds one more layer of complication for a pickpocket.

Trustwave did their version of phishing to gain user login names and passwords. Nathan Drier and colleagues sent email messages to employees at a company pretending to be the IT department. The message explained that their external webmail server was upgraded and everyone needed to log in with their credentials. There was a link in the message that the employees clicked and therefore forfeited their user names, passwords, and in some cases their VPN access credentials. That kind of information can allow an attacker to get additional privileges on the network and do all kinds of damage.

Don't fall for clicking a link or opening an attachment in email messages, regardless of who sends them and even if they're sent to your home address, unless you verify it separately first. If IT sends a message asking you to click something, make a call to the department or physically go check when possible, and verify that it's legitimate.

If you have any suspicion of links or attachments in email messages, don't click them. Hackers can do damage to your home network or use your devices to perform malicious attacks against others.

Dumpster diving is not social engineering in and of itself. However, a lot of information that provides avenues into a company or into someone's home or life can be found in dumpsters. They are rarely locked, and many companies and people don't bother to shred documents, even those containing confidential information. And once the trash bin goes onto the street, the contents are fair game.

Stickley says that the lesson here is to shred everything. Even if you don't think it's important, it still might be to someone else.

Invest a little more in a cross-cut shredder that also shreds credit cards and CDs. Even though CDs aren't used so much anymore, they are still often found lingering in files when it's time for spring cleaning. So, better to have the capability to shred them when it's needed.

Nathan Drier of Trustwave was once able to convince an employee that he was repairing the workstation he was sitting at, while he was actually installing a backdoor on it. And by picking up the phone and making a couple of calls, Stickley once convinced an employee to give him her password by pretending to be from the IT group of her company. This ultimately gave him VPN access directly into the company's network.

Don't leave workstations unlocked when you get up to leave. Not only does that allow your co-workers to send embarrassing emails from your account, but it leaves a gaping hole in the security of the organization for people like Drier and Stickley.

Never give passwords to anyone, in person or via phone. Even if you think the "IT guy" could get it anyway, so there's no harm, don't give it to him.

Stickley is quite the actor and has often convinced people he's an electrician, from a pest control company, an OSHA inspector, or even a flower delivery person in order to get past the front desk and roam around a company. Posing as any number of service providers, cyber criminals can do many things. This isn't just at the office, but also at home. A common scam in neighborhoods is for someone to pretend to be from an alarm company, knock on the door, and ask all kinds of questions about the security of the home in order to provide a quote. With all the wireless home security systems these days, any information about them can open all kinds of doors.

At home, never give information to someone going door to door. If you are truly interested in the service, contact the company separately and not using information provided by the door to door sales rep.

Always ask for credentials from door-to-door reps. Most locales require them to get permits and show them to you whenever they solicit business at homes.

Ask questions of anyone that looks unfamiliar to you if you suspect they don't belong in the neighborhood or at the office. The more questions you ask, the less likely they will stick around to do harm.

Don't trust someone claiming to be the IT guy or tech support if he or she asks for your passwords. They do not need you to give them your password.

The best defense against social engineering tactics is education, whether it's your family or your employees. And don't forget to have the conversations with the kids. With all the internet-connected devices they use now, they are not only a link in the chain, but a very important one.

Chances are pretty good that you have heard the term business email compromise or BEC by now. It is a type of wire transfer fraud that the FBI has deemed one of the most prevalent types of scam going around these days. In 2017, there were over 15,690 complaints that resulted in total adjusted losses of more than $675 million. That is an 87% increase over 2016 and it is expected to continue to rise. The Identity Theft Resource Center (ITRC) reported that of the fraud related complaints reported in 2017, the most common type was wire transfer fraud.
